{"id":10493,"date":"2021-04-21T09:00:00","date_gmt":"2021-04-21T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-aws-lab-3\/"},"modified":"2021-04-21T09:00:00","modified_gmt":"2021-04-21T08:00:00","slug":"attack-detection-fundamentals-2021-aws-lab-3","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-2021-aws-lab-3\/","title":{"rendered":"Attack Detection Fundamentals 2021: AWS &#8211; Lab #3"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Attack Detection Fundamentals 2021: AWS &#8211; <span class=\"blue-text\">Lab #3<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                               
<\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Alfie Champion<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                Navigation dans le contenu            <\/span>\n            <select class=\"wp-component-content-navigation__select js-content-navigation-select\">\n                <option value=\"\">\n                    S\u00e9lectionnez une section                <\/option>\n                            <\/select>\n        <\/label>\n    <\/div>\n\n    <div class=\"wp-component-content-navigation__desktop\">\n        <div class=\"wp-component-content-navigation__list-wrapper\">\n            <span\n                class=\"wp-component-content-navigation__indicator js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    
>\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-2021-aws-lab-3\/&#038;title=Attack%20Detection%20Fundamentals%202021:%20AWS%20&#8211;%20Lab%20#3\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Partager sur LinkedIn\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals 2021: AWS &#8211; Lab #3&#038;url=https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-2021-aws-lab-3\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Partager sur X (Twitter)\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <p>In part three of WithSecure Consulting&#x27;s Attack Detection Fundamentals workshop series for 2021, we covered an end-to-end kill chain, from initial access and discovery using some &#x27;compromised&#x27; credentials, through to the installation of 
persistence and the exfiltration of data from an S3 bucket.<\/p>\n<p>The slides and recording for this workshop can be found <a href=\"https:\/\/www.f-secure.com\/content\/dam\/f-secure\/en\/consulting\/events\/collaterals\/digital\/f-secure_attack-detection-fundamentals-workshop-3-aws_2021-04-21.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a> and <a href=\"https:\/\/www.youtube.com\/watch?v=JpELEMm9OsY\" target=\"_blank\" rel=\"noopener\">here<\/a> respectively.<\/p>\n<p>In the <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-2021-aws-lab-2\/\" target=\"_blank\" rel=\"noopener\">previous lab<\/a>, we started making changes to the target account. We leveraged the privileged access of our compromised user to add an additional access key, add a login profile and logged into the web console to take a better look around the account.<\/p>\n<p>In the final lab of this workshop, we&#x27;re turning our attention to the customer data S3 bucket we saw in our user&#x27;s inline policy in lab one. We&#x27;ll explore the files present in the bucket, before downloading the contents to our local system. We&#x27;ll then turn our attention to elevating our privileges to delete the customer data we find. 
Finally, we&#x27;ll use Athena once more to take a look at the bucket-level and object-level CloudTrail events, as well as the standalone S3 server access logs we&#x27;ve configured for comparison.<\/p>\n<p>NOTE: The corresponding CloudTrail log can take fifteen minutes or more to arrive following an API call being made, so expect some delay following your activities!<\/p>\n<h2>Required Tools<\/h2>\n<ul>\n<li>An AWS account suitable for testing purposes. Use a dedicated, isolated account: the lab provisions a user holding an &quot;iam:*&quot; privilege, so it must not be deployed alongside production resources<\/li>\n<li><a href=\"https:\/\/www.terraform.io\/\" target=\"_blank\" rel=\"noopener\">Terraform<\/a><\/li>\n<li><a href=\"https:\/\/aws.amazon.com\/cli\/\" target=\"_blank\" rel=\"noopener\">AWS CLI<\/a><\/li>\n<li>The lab <a href=\"https:\/\/github.com\/ajpc500\/F-Secure-Attack-Detection-Fundamentals-2021---AWS-Lab-Environment\" target=\"_blank\" rel=\"noopener\">environment<\/a> detailed in <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-2021-aws-lab-1\/\" target=\"_blank\" rel=\"noopener\">lab one<\/a><\/li>\n<\/ul>\n<p>DISCLAIMER: Set up of the tools and the testing environment is not covered comprehensively within this lab. We will assume basic familiarity with the command line and the ability of the reader to build the necessary tools.<\/p>\n<h2>Walkthrough<\/h2>\n<h3>Exfiltration<\/h3>\n<p>Let&#x27;s start by listing the buckets and their contents to see what&#x27;s worth downloading. Returning to the AWS CLI, we can list all buckets in our account with the below command. This works because of the &quot;s3:ListAllMyBuckets&quot; permission our compromised user is provisioned with.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/list-buckets.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Now that we know the names of the respective buckets, we can attempt to list their contents. 
Let&#x27;s start with the &quot;Customer Data&quot; bucket.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/list-objects.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Here we can see there are three dummy data files for customers a, b and c. Just for completeness, we&#x27;ll attempt to list the contents of the &quot;Log Storage&quot; bucket too.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/list-objects-in-logging-bucket.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Access denied! If we take another look at the inline policy we retrieved in lab one, we can see this is entirely expected behaviour. We have the ability to list and retrieve objects from our &quot;Customer Data&quot; bucket, and to list all buckets in the account, but there is nothing explicitly permitting access to the &quot;Log Storage&quot; bucket. IAM denies anything that is not explicitly allowed, so we&#x27;re met with the &quot;AccessDenied&quot; message.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/get-user-policy2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Turning our attention back to the &quot;Customer Data&quot; bucket, we can use the CLI &quot;sync&quot; command to save all files to a directory on the local system.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/s3-sync.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Now we have a local copy of our&#8230; err&#8230; &#x27;sensitive data&#x27; and can turn our attention to a more destructive objective.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/cat-synced-data.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h3>Impact<\/h3>\n<p>Much like our inability to list the contents of the 
&quot;Log Storage&quot; bucket, we&#x27;ve only explicitly been granted the &quot;GetObject&quot; privilege on the objects within the &quot;Customer Data&quot; bucket. As such, we don&#x27;t have the ability to delete the customer files.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/s3-delete-0.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Leveraging our &quot;iam:*&quot; privilege once more, we can update our compromised user&#x27;s privileges to facilitate this. Firstly, save the below policy document to your local system; we&#x27;ll call it &quot;policy.json&quot;. Note the &quot;GetObject&quot; permission has been replaced with a wildcard &quot;s3:*&quot;. Unlike the IAM privilege, this policy block specifies the resource affected as &quot;arn:aws:s3:::fsecure-aws-workshop-data-bucket\/*&quot; (rather than simply &quot;*&quot;). This means that within that bucket, we can read, create, modify and delete objects to our heart&#x27;s content. Importantly, the escalation itself is only possible because the &quot;iam:*&quot; statement is scoped to a &quot;*&quot; resource: a user who can call &quot;PutUserPolicy&quot; on themselves is effectively an account administrator, however tightly the rest of their policy is scoped, so the IAM write permissions a principal holds matter far more than its S3 permissions when assessing blast radius.<\/p>\n<pre><code class=\"language-bash\">{\n&quot;Version&quot;: &quot;2012-10-17&quot;,\n&quot;Statement&quot;: [\n{\n&quot;Action&quot;: [\n&quot;s3:*&quot;\n],\n&quot;Effect&quot;: &quot;Allow&quot;,\n&quot;Resource&quot;: &quot;arn:aws:s3:::fsecure-aws-workshop-data-bucket\/*&quot;\n},\n{\n&quot;Action&quot;: [\n&quot;s3:ListBucket&quot;\n],\n&quot;Effect&quot;: &quot;Allow&quot;,\n&quot;Resource&quot;: &quot;arn:aws:s3:::fsecure-aws-workshop-data-bucket&quot;\n},\n{\n&quot;Action&quot;: [\n&quot;s3:ListAllMyBuckets&quot;,\n&quot;iam:*&quot;\n],\n&quot;Effect&quot;: &quot;Allow&quot;,\n&quot;Resource&quot;: &quot;*&quot;\n}\n]\n}<\/code><\/pre>\n<p>With our policy created, we can apply it to the &quot;customer_data_management_user&quot; with the following CLI command:<\/p>\n<pre><code class=\"language-bash\">aws iam put-user-policy --user-name customer_data_management_user --policy-name s3_access --policy-document 
file:\/\/mnt\/c\/Tools\/data\/policy.json<\/code><\/pre>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/s3-delete-1.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>At this point, we can add a &quot;ransom.txt&quot; file to our local folder and re-execute the &quot;sync&quot; command, switching the source and remote paths. This effectively syncs the S3 bucket with our local directory, rather than the other way around.<\/p>\n<p>From here we can go ahead and delete the customer records and confirm that only the &quot;ransom.txt&quot; file remains.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/s3-delete-2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>When our compromised user&#x27;s owner searches their customer data, they&#x27;ll be met with our demands!<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ransom.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h2>Detection<\/h2>\n<p>Here we&#x27;ll rely upon our bucket-level and object-level <a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/userguide\/cloudtrail-logging-s3-info.html\" target=\"_blank\" rel=\"noopener\">logging<\/a>. We can confirm that our Terraform scripts have correctly configured data events (and server access logs) in the S3 bucket&#x27;s &quot;Properties&quot; tab.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/confirm-s3-logging-scaled.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Returning to Athena, let&#x27;s start by querying for all events from our compromised user relating to the S3 service. 
The following query will get us started:<\/p>\n<pre><code class=\"language-bash\">SELECT\neventtime,\neventname,\neventsource,\nrequestparameters,\nerrorcode\nFROM &quot;fsecure_workshop_database&quot;.&quot;cloudtrail_logs_[AWS_ACCOUNT_ID]&quot;\nWHERE userIdentity.username = &#x27;customer_data_management_user&#x27;\nAND eventsource = &#x27;s3.amazonaws.com&#x27;<\/code><\/pre>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/s3-detect-0-scaled.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Here we can see the bucket-level API call to &quot;ListBuckets&quot;, followed by the object-level calls to &quot;ListObjects&quot; and &quot;GetObject&quot;. Notably, our &quot;sync&quot; command shows up as three separate &quot;GetObject&quot; calls, meaning we can see the actions taken against specific files in the bucket, rather than a notification that files have been downloaded en masse. A detection for bulk download therefore has to aggregate &quot;GetObject&quot; events per principal over a time window, rather than look for any single event.<\/p>\n<p>Turning our attention to more destructive efforts, we can view:<\/p>\n<ul>\n<li>our initial failed &quot;DeleteObject&quot; events,<\/li>\n<li>our &quot;PutUserPolicy&quot; call to provision us with the necessary permissions,<\/li>\n<li>our subsequently successful &quot;DeleteObject&quot; events.<\/li>\n<\/ul>\n<p>While cropped in the below screenshot, we can see that the &quot;PutUserPolicy&quot; call includes the full inline policy we&#x27;re applying; highlighting the change from a &quot;s3:GetObject&quot; permission to a relaxed &quot;s3:*&quot;. Since the caller and the user named in the request are the same principal here, a successful &quot;PutUserPolicy&quot; of this kind is a high-fidelity indicator of self-escalation and worth alerting on in its own right.<\/p>\n<pre><code class=\"language-bash\">SELECT\neventtime,\neventname,\neventsource,\nerrorcode,\nrequestparameters\nFROM &quot;fsecure_workshop_database&quot;.&quot;cloudtrail_logs_[AWS_ACCOUNT_ID]&quot;\nWHERE eventname in (&#x27;PutUserPolicy&#x27;, &#x27;DeleteObject&#x27;)<\/code><\/pre>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/s3-detect-1-scaled.png.webp\" alt=\"\" 
class=\"wp-component-image\" \/><\/figure>\n<p>As we&#x27;ve provisioned our lab with both S3 data events in CloudTrail and server access logs, we can compare the logs for the same actions. We can fetch filtered events from our second Athena table, &quot;s3_access_logs_[AWS_ACCOUNT_ID]&quot;, with the following query:<\/p>\n<pre><code class=\"language-bash\">SELECT\nrequestdatetime,\nbucket_name,\noperation,\nkey,\nerrorcode\nFROM &quot;fsecure_workshop_database&quot;.&quot;s3_access_logs_[AWS_ACCOUNT_ID]&quot;\nWHERE requester = &#x27;arn:aws:iam::[AWS_ACCOUNT_ID]:user\/customer_data_management_user&#x27;;<\/code><\/pre>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/s3-detect-2-scaled.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Comparing the metadata available in CloudTrail and our server access logs, we can see some differences between what&#x27;s provided. Aside from the ARN of the user initiating the request, some user details are lost with server access logs. As an example, we can no longer see whether MFA is present for the session. Other API calls against the S3 service, e.g. those modifying ACLs, versioning, encryption, etc. are also outside of the scope of the server access logs.<\/p>\n<h2>Conclusions<\/h2>\n<p>Wrapping up the labs for this workshop, we&#x27;ve gone from some compromised credentials, performed some initial reconnaissance, and gained an understanding of the privileges we hold within the target AWS account. 
From there we&#x27;ve sought to maintain access to our account by creating a new AWS access key and adding a login profile, subsequently allowing us to browse resources through the AWS management console.<\/p>\n<p>Finally, in this lab, we&#x27;ve exploited our privileges to download customer data from an S3 bucket, before updating the inline policy attached to our user to allow us to delete the customer records and replace them with our &quot;ransom note&quot;.<\/p>\n<p>Throughout the workshop labs, we&#x27;ve used Athena and queried the extensive telemetry provided by CloudTrail (with S3 data events configured, without which the object-level events used above would not have been logged) to identify the above activity, considering opportunities to filter based on:<\/p>\n<ul>\n<li>Read-only activity<\/li>\n<li>User Agents<\/li>\n<li>MFA-enabled sessions<\/li>\n<li>Known source IP addresses<\/li>\n<\/ul>\n<p>Finally, we&#x27;ve evaluated the telemetry provided by S3 server access logs, using Athena once more to consider what these logs do and don&#x27;t provide in comparison to our bucket-level and object-level events in CloudTrail.<\/p>\n<p>Thanks for joining, see you next time!<\/p>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a 
                      <span class=\"wp-component-card-insight__category\">Threat intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Reverse engineering a Lumma infection<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">Lumma is an information stealer that the WithSecure Detection and Response Team (DRT) have encountered several times. It has seen wider use over the past couple of years, and makes for an interesting threat to monitor.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/reverse-engineering-a-lumma-infection\/\">En savoir plus<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                            <div class=\"swiper-slide wp-block-cards__slide\">\n                            <div class=\"wp-component-card-insight wp-block-cards__card\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp\" class=\"wp-component-card-insight__image\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder.jpg.webp 618w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-300x214.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-447x318.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/placeholder-205x146.jpg.webp 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p 
class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">AI security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Software Protection<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Machine learning-driven malware analysis<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">With the rapid emergence of new malware variants, accurately classifying and attributing malware samples has become more challenging than ever<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/machine-learning-driven-malware-analysis\/\">En savoir plus<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                    <\/div>\n                <div class=\"wp-block-cards__nav fade-in\">\n                    <div class=\"wp-block-cards__pagination js-wp-block-cards-pagination\">\n                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-prev\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n             
       <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-next\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                <\/div>\n            <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>In the final lab of this workshop, we&rsquo;re turning our attention to the customer data S3 bucket we saw in our user&rsquo;s inline policy in lab one. <\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[306,383,351],"labs_content_type":[309],"class_list":["post-10493","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-cloud-security","category-identity-security"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                            
                <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Cloud Security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Identity security<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Attack Detection Fundamentals 2021: AWS &#8211; Lab #3<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">In the final lab of this workshop, we&#039;re turning our attention to the customer data S3 bucket we saw in our user&#039;s inline policy in lab one. <\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/attack-detection-fundamentals-2021-aws-lab-3\/\">En savoir plus<\/a>            <\/div>\n            
<\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/lab_item\/10493","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/media?parent=10493"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/categories?post=10493"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/labs_content_type?post=10493"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}